SNHU - TCP/IP Protocols - The Core Protocols
Introduction
Objective
CompTIA Network+ Domain: Domain 5: Industry Standards, Practices, and Network Theory
CompTIA Network+ Objective: Objective 5.2: Explain the basics of network theory and concepts.
Overview
This lab is part of a series of lab exercises designed to supplement coursework and provide
students with a hands-on training experience based on real-world applications. This series of
lab exercises is intended to support courseware for CompTIA Network+® certification.
This lab will review protocols that operate at the internetwork and transport layers of TCP/IP.
At the internetwork layer these are ARP, ICMP, and IP; at the transport layer, UDP and TCP.
Students will review IP address configuration, discover facts about network communication
using ICMP and the ping utility, and examine the TCP/IP layers to become familiar with their
status and function on a network.
This lab includes the following tasks:
1. Use network utilities and protocols from the TCP/IP suite
2. Use a network packet analyzer, Wireshark®, to examine the ARP protocol
3. Capture and analyze transport layer packets
Use Network Utilities and Protocols from the TCP/IP Suite
The ipconfig command allows you to view your network configurations and to test
communication with other computers. Used on its own, the ipconfig command shows basic
information such as the name of the network interface, the IP address, the subnet mask, and
the default gateway. Combined with the /all switch, it shows a detailed set of information
about the TCP/IP settings. The ipconfig command lists the IP address configuration for your
computer's network interfaces along with other network settings.
Using ipconfig to Locate and Document Your TCP/IP Settings
1. Click on the Internal 192.168.12.10 Windows Server icon on the topology diagram.
2. Click the Send Ctrl+Alt+Delete button in the upper-right corner of the viewer window.
3. In the password text box, type P@ssw0rd and press Enter to log in.
4. Click on Start. In the Search dialog box, type cmd and press Enter to open the command prompt.
5. Type ipconfig at the prompt and press Enter. This will display a list of IP address
configurations for your network adapter(s).
6. Type ipconfig/all, which will display more details about the IP address configuration.
Under the heading "Ethernet adapter Local Area Connection", find the Physical Address;
this is the MAC address of your NIC. Next, find the IPv4 Address and the Default Gateway.
7. Type dir, which will list all files and folders in the current directory.
Using ping to Verify Network Layer Connectivity
You will use the ping command to verify network layer connectivity and that the host
computer can connect to the network resources. When using ping, the system sends an
ICMP echo request to the target; this can be done using a host name or IP address. Ping can
also be used to troubleshoot network problems and incompatible configurations. It is usually
best to verify that a connection exists between the local computer and a network host by first
using the ping command and the IP address of the network host to which you want to
connect. In this task, you use ping to verify local host settings, network connectivity to the
default gateway, and a remote host to see if it responds.
1. At the prompt, type ping 127.0.0.1 and press Enter. Pinging the loopback address will
verify the TCP/IP socket on the local computer.
2. Next, ping the IP address of the local host by typing ping 192.168.12.11 and pressing Enter.
3. Next, ping the IP address of the default gateway by typing ping 192.168.12.1 and pressing Enter.
4. Ping the IPv4 address of the External 131.107.0.200 Windows Server machine, which is a
remote host, by typing ping 131.107.0.200. Pinging this host will verify that you can
communicate outside of your local network.
5. Click on the External 131.107.0.200 Windows Server machine from the topology.
6. Click the Send Ctrl+Alt+Delete button on the top right corner.
7. Log in with a password of P@ssw0rd.
8. Click on Start. In the Search dialog box, type cmd and press Enter to open the command prompt.
9. Ping the IP address of the Internal 192.168.12.11 Windows Server by typing ping 192.168.12.11
and press Enter. Because the firewall is configured, for security reasons, not to allow
external hosts to access the internal network, the ping will not be successful.
10. Type dir, which will list all files and folders in the current directory.
Using the arp Command to Inspect and Clear the Cache Created by the ARP Protocol
Use the arp Command to View and Clear the arp Cache
In a previous lab exercise, you found the hardware address for your network adapter; the
hardware address is also known as a MAC address. The ARP protocol typically maintains a
cache of IP-to-MAC address mappings on the local computer. Remember that all hosts must
have both a MAC address and an IP address to communicate with other hosts. Given the IP
address of a host, the ARP protocol can discover the MAC address of another host on the
same physical network. ARP tables and caches are built by the protocol on each computer to
maintain the mappings of IP to MAC address so that repetitive ARP broadcast requests can
be reduced. The arp command is used to view and manipulate the contents of the arp cache.
The ARP protocol defines the message format and its meaning.
1. On the Internal 192.168.11 Windows Server, click on Start. In the Search dialog box,
type cmd and press Enter to open the command prompt.
2. At the prompt, type arp -a (note there is a space between the p and the dash) and
press Enter. The arp -a command displays the current contents of the ARP cache on
your computer.
Use a Network Packet Analyzer: Wireshark to Examine the ARP Protocol
Launching and Configuring Wireshark
Wireshark is a network packet analyzer that captures packets and allows you to examine their
contents. A network packet analyzer captures network packets and displays the packet data
in as much detail as possible. In this task, you will use Wireshark to capture ARP packets and
examine the operation of the protocol.
Note: In order to observe your computer sending and receiving ARP messages, you
will need to clear the ARP cache; otherwise, your computer is likely to find the
needed IP-to-Ethernet address translation pair in its cache and consequently not need
to send out an ARP message. You will be using a network packet analyzer,
Wireshark, to observe ARP.
1. On the desktop, double-click the Wireshark icon to launch the program.
2. Click on Capture Options on the main page of Wireshark and in the Capture Filter
dialog box, type arp (must be lowercase). The capture filter is set to arp to prevent
the capture of other traffic your computer may send or receive, for easier tracking of
ARP packets.
3. Next, double-click on the Local Area Connection.
4. On the Edit Interface Settings page, uncheck Capture Packets in promiscuous mode.
This mode is useful to allow your system to listen to packets sent to/from other
computers on broadcast networks, but in this case, you only want to record packets
sent to/from your computer. Leave other options at their default values. Click OK.
5. Next, click the Start button at the bottom-right corner of the Capture Options page
to start the capture.
6. Ping the Internal 192.168.12.10 Windows Server machine by typing ping 192.168.12.10
and press Enter.
Examining the ARP Protocol Using Wireshark
1. Type the command arp -a and press Enter to view the current entries in the ARP cache.
2. Type the command arp -d and press Enter to clear the arp cache. If you do not clear the
cache, the stored ARP records will already map the IP addresses of local machines to
their MAC addresses, so the system will not need to send any ARP requests.
3. Ping the Internal 192.168.12.10 Windows Server machine by typing ping 192.168.12.10
and press Enter. This will force the system to send ARP messages to other systems on
your local network and you will be able to capture the packets to examine the ARP
traffic. Watch the Wireshark program as it captures packets.
4. Ping the External 131.107.0.200 Windows Server machine by typing ping 131.107.0.200
and press Enter. This will also force the system to send ARP messages to other systems
on your local network and you will be able to capture the packets to examine the ARP
traffic. Watch the Wireshark program as it captures packets.
5. On Wireshark, click the red square to stop the capture when you see the ARP traffic
showing up in Wireshark.
6. On the Internal 192.168.12.11 Windows Server machine, in the open command prompt
window, type ipconfig /all and press Enter to view the Physical Address (MAC Address)
of the system and the IP address of the default gateway.
7. To make it easier to view ARP requests that originate from your computer or are
destined to your computer, create another filter. To do this, near the top of the main
page, click in the Filter text input area and add the Physical Address (MAC Address)
from Step 6; this will show only captures for your system. The screenshot below shows
an example of the filter syntax: eth.addr==01:02:03:04:05:06. Then, click Apply.
Note: you might not get the same Physical Address as the screenshot when you
perform Step 6. Use the Physical Address (MAC Address) in the Wireshark Filter.
8. Now you will examine the ARP packets for the default gateway. ARP uses two types
of packets: the request packet and the reply packet. You will examine both types.
Refer to Step 6 where you recorded the default gateway IP address information.
Review the filtered captures in Wireshark to find one that is an ARP request for the
default gateway. ARP requests will start with "Who has xxx.xxx.xxx.xxx", so you will
look for the one that has the IP address of the default gateway.
Note: On the Wireshark capture window, there are three panes: the top pane is the
summary information for each capture; the middle pane is detailed information
about the highlighted captured packet; the lower pane is the packet bytes pane
and shows the packet information in hexadecimal.
9. In the top pane, look for an ARP request for 192.168.12.1 (the default gateway) and
select it. Then, click on the + sign next to Address Resolution Protocol (request) in
the middle pane to expand it and examine the field details of the ARP request.
Note: Now you will examine an ARP reply packet. The ARP reply is the response to the
request and has the sender and target information reversed. The reply answers the
"Who has xxx.xxx.xxx.xxx" question by stating that the original target's IP address is
at the physical address (MAC) given in the reply.
10. In the top pane, look for an ARP reply (IP is at MAC) and select it. Click on the +
sign next to Address Resolution Protocol (reply) in the middle pane to expand it and
examine the field details of the ARP reply.
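The request and reply fields you expanded in Steps 9 and 10 can be built and decoded directly from raw frame bytes. The following is an added example, not part of the original lab or of Wireshark: it constructs an ARP request from a host to the lab's default gateway and the matching reply, decodes them into the same summaries Wireshark shows ("Who has ...? Tell ..." and "... is at ..."), and mimics the eth.addr== display filter from Step 7. The MAC addresses are constructed placeholders; the IP addresses follow the lab topology.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806

def mac_bytes(s): return bytes(int(p, 16) for p in s.split(":"))
def ip_bytes(s): return bytes(int(p) for p in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body. Requests are sent to the broadcast MAC."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame):
    """Decode the fields Wireshark lists under 'Address Resolution Protocol'."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]
    info = {
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }
    if opcode == ARP_REQUEST:   # summary line: "Who has <target IP>? Tell <sender IP>"
        info["summary"] = f"Who has {info['target_ip']}? Tell {info['sender_ip']}"
    elif opcode == ARP_REPLY:   # summary line: "<sender IP> is at <sender MAC>"
        info["summary"] = f"{info['sender_ip']} is at {info['sender_mac']}"
    return info

def eth_addr_matches(frame, mac):
    """Same test as the display filter eth.addr==<mac>: source or destination MAC."""
    m = mac_bytes(mac)
    return frame[0:6] == m or frame[6:12] == m

# Constructed sample: the MACs are placeholders, the IPs follow the lab topology
HOST_MAC, HOST_IP = "00:15:5d:00:00:11", "192.168.12.11"
GW_MAC, GW_IP = "00:15:5d:00:00:01", "192.168.12.1"
REQUEST = build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GW_IP)
REPLY = build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp_frame(frame)["summary"])
```

Note that in the reply the sender fields carry the gateway's addresses and the target fields carry the host's, the reversal described in the note above.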
11. Close Wireshark.
Capture and Analyze Transport Layer Protocol Packets
Capture and Analyze TCP Session Establishment and Data Segment Exchange
In this task, you examine both TCP and UDP packets. These are transport layer protocols.
TCP provides guarantees in its delivery and it creates a point-to-point connection between
two hosts. Using a three-way handshake, TCP establishes a session between two hosts. Once
the session is established, the hosts can exchange data, and then when the session is
finished, TCP closes the session. TCP takes the messages being exchanged between the
hosts, disassembles them, and reassembles them using sequential numbering and
acknowledgement of receipt of each data segment. TCP segments are encapsulated into an IP
datagram.
TCP uses specific program ports for data delivery, and the pairing of IP addresses and TCP
ports allows TCP to manage multiple connections. TCP ports include FTP (20, 21), Telnet
(23), and Web Services, HTTP (80). In this task, you will use Wireshark to capture a series of
TCP segments and examine the three-way handshake, acknowledgments, and the
termination of the session.
1. On the desktop of the Internal 192.168.12.11 Windows Server machine, double-click
the Wireshark icon to launch the program.
2. Click on Capture Options on the main page of Wireshark, and in the Capture Filter
dialog box, type tcp (must be lowercase). Click the Start button.
3. Click on the icon for Windows Internet Explorer to open your browser. Wait one
minute to allow Wireshark to capture packets.
4. In the URL bar, type http://www.isp.com.
5. On Wireshark, press the red square to stop the capture.
6. You will use the captured packets to examine the TCP protocol operation. You can
see the initial three-way handshake containing a TCP SYN message, a returning
TCP SYN/ACK from the web server, and the final ACK from the client.
7. Select Analyze -> Enabled Protocols.
8. Scroll down to HTTP, uncheck the box, and then click OK. That will remove all the
HTTP packet captures from the top pane so you can focus on just the TCP segments.
9. The list of Wireshark packets will be displayed.
10. In the top pane, highlight the first TCP [SYN]. Then, click on the + sign next to
Transmission Control Protocol in the middle pane to expand it and examine the
field details of the TCP segment.
11. Close Wireshark by clicking the X box in the upper right corner. A message box will
appear; click Quit without Saving.
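The three-way handshake you looked for in Steps 6 and 10 can be checked mechanically from the TCP header fields. The following is an added example, not part of the original lab: it packs and unpacks a 20-byte TCP header, names the flags Wireshark shows in brackets, and verifies that three constructed segments (client to web server port 80) form SYN, SYN/ACK, ACK with the acknowledgement numbers that the handshake requires. The port and initial sequence numbers are constructed sample values.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FLAG_FIN: "FIN", FLAG_SYN: "SYN", FLAG_RST: "RST", FLAG_PSH: "PSH", FLAG_ACK: "ACK"}

def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Minimal 20-byte TCP header (data offset 5 words, checksum left zero)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def parse_tcp_header(data):
    """Decode the fields Wireshark lists under 'Transmission Control Protocol'."""
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    flags = offset_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (offset_flags >> 12) * 4,
        "flags": {name for bit, name in FLAG_NAMES.items() if flags & bit},
    }

def is_three_way_handshake(segments):
    """True when the segments are exactly SYN, SYN/ACK, ACK with consistent numbering."""
    if len(segments) != 3:
        return False
    syn, synack, ack = segments
    return (
        syn["flags"] == {"SYN"}
        and synack["flags"] == {"SYN", "ACK"}
        and synack["sport"] == syn["dport"] and synack["dport"] == syn["sport"]
        and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF      # acknowledges the SYN
        and ack["flags"] == {"ACK"}
        and ack["seq"] == (syn["seq"] + 1) & 0xFFFFFFFF
        and ack["ack"] == (synack["seq"] + 1) & 0xFFFFFFFF      # acknowledges the SYN/ACK
    )

# Constructed sample: client ephemeral port 49152 -> web server port 80, ISNs 1000 and 5000
CLIENT_PORT, SERVER_PORT, CLIENT_ISN, SERVER_ISN = 49152, 80, 1000, 5000
HANDSHAKE = [
    build_tcp_header(CLIENT_PORT, SERVER_PORT, CLIENT_ISN, 0, FLAG_SYN),
    build_tcp_header(SERVER_PORT, CLIENT_PORT, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK),
    build_tcp_header(CLIENT_PORT, SERVER_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),
]

def check_sample():
    return is_three_way_handshake([parse_tcp_header(h) for h in HANDSHAKE])

if __name__ == "__main__":
    for h in HANDSHAKE:
        p = parse_tcp_header(h)
        print(f"{p['sport']} -> {p['dport']} [{'/'.join(sorted(p['flags']))}] seq={p['seq']} ack={p['ack']}")
    print("three-way handshake:", check_sample())
```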
Capture and Analyze a UDP Datagram
Another transport layer protocol is UDP. UDP is used by some programs instead of TCP for
fast, lightweight, unreliable transportation of data between hosts. UDP provides a
connectionless datagram service that offers best-effort delivery, which means that UDP does
not guarantee delivery or verify sequencing for any datagrams. UDP uses no SYNs or ACKs
and has no sequence numbers with which to organize the reassembly of the data, so the UDP
protocol data unit is a datagram, not a segment.
1. On the Internal 192.168.12.10 Windows Server machine desktop, double-click the
Wireshark icon to launch the program.
2. Click on Capture Options on the main page of Wireshark, and in the Capture Filter
dialog box, type udp (must be lowercase). Click the Start button.
3. Wait one minute for UDP traffic to be generated (as seen below), then select
Analyze -> Enabled Protocols.
4. Scroll down to DNS, uncheck the box, and then click OK. That will remove all the
DNS packet captures from the top pane so you can focus on just the UDP datagrams.
Note: It might take 1-2 minutes to generate the needed UDP traffic.
5. Select a datagram and view the UDP header. In the top pane, highlight any UDP
datagram.
6. Click on the + sign next to User Datagram Protocol in the middle pane to expand it
and to examine the field details.
© 2023 - Infosec Learning INC. All Rights Reserved.
Note: Press the STOP button to complete the lab.